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Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING }



TBSCertificate ::= SEQUENCE {
    version              [0] Version DEFAULT v1,
    serialNumber             CertificateSerialNumber,
    signature                AlgorithmIdentifier,
    issuer                   Name,
    validity                 Validity,
    subject                  Name,
    subjectPublicKeyInfo     SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions           [3] Extensions OPTIONAL }



Version ::= INTEGER { v1(0), v2(1), v3(2) }



CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore      Time,
    notAfter       Time }

Time ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm          AlgorithmIdentifier,
    subjectPublicKey   BIT STRING }



Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnID       OBJECT IDENTIFIER,
    critical     BOOLEAN DEFAULT FALSE,
    extnValue    OCTET STRING }
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AttributeCertificate ::= SEQUENCE {
    acinfo               AttributeCertificateInfo,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}



AttributeCertificateInfo ::= SEQUENCE {
    version                  AttCertVersion DEFAULT v1,
    holder                   Holder,
    issuer                   AttCertIssuer,
    signature                AlgorithmIdentifier,
    serialNumber             CertificateSerialNumber,
    attrCertValidityPeriod   AttCertValidityPeriod,
    attributes               SEQUENCE OF Attribute,
    issuerUniqueID           UniqueIdentifier OPTIONAL,
    extensions               Extensions OPTIONAL
}



AttCertVersion ::= INTEGER { v1(0), v2(1) }



Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
        -- if present, version must be v2
}



ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType  ENUMERATED {
        publicKey         (0),
        publicKeyCert     (1),
        otherObjectTypes  (2) },
            -- otherObjectTypes MUST NOT
            -- be used in this profile
    otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm     AlgorithmIdentifier,
    objectDigest        BIT STRING
}
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V2Form ::= SEQUENCE { 

issuerName GeneralNames OPTIONAL, 

baseCertificateID [0] IssuerSerial OPTIONAL, 
objectDigestInfo [1] ObjectDigestInfo OPTIONAL 
-- at least one of issuerName, baseCertificateID 
-- or objectDigestInfo MUST be present
}

IssuerSerial ::= SEQUENCE { 

issuer GeneralNames, 

serial CertificateSerialNumber, 

issuerUID UniqueIdentifier OPTIONAL 

} 

AttCertValidityPeriod ::= SEQUENCE { 
notBeforeTime GeneralizedTime, 
notAfterTime GeneralizedTime 

} 

Attribute ::= SEQUENCE { 

type AttributeType, 
values SET OF AttributeValue 
-- at least one value is required 

} 

AttributeType ::= OBJECT IDENTIFIER 
AttributeValue ::= ANY DEFINED BY AttributeType 
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PKClocator ::= SEQUENCE { 

holderPKClocator [0] GeneralNames OPTIONAL, 
authorityPKClocator [1] GeneralNames OPTIONAL 

} 

wherein GeneralNames is defined by IETF RFC 2459 as 
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 



AttCertIssuer ::= CHOICE {
    v1Form       GeneralNames,  -- v1 or v2
    v2Form   [0] V2Form         -- v2 only
}



m 



GeneralName ::= CHOICE {
    otherName                  [0] OtherName,
    rfc822Name                 [1] IA5String,
    dNSName                    [2] IA5String,
    x400Address                [3] ORAddress,
    directoryName              [4] Name,
    ediPartyName               [5] EDIPartyName,
    uniformResourceIdentifier  [6] IA5String,
    iPAddress                  [7] OCTET STRING,
    registeredID               [8] OBJECT IDENTIFIER
}



Figure 6 



BEGIN ^ 



1 
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r 
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704 




r 



TARGET SERVICE EXTRACTS LOCATOR FOR USER'S PKC FROM DISTRIBUTED TRUST PATH LOCATOR 

706 
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708 
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